SERVICES WRITE-UPS
Mikhati vyatskovaka tis and MS


MOTIVATION 


"The main goal of RUCTFE is to share experience and knowledge in computer security and to have some fun together."

— RuCTFE Rules


RULES 


• Each team has an image
• There are some services on this image
• There are some vulnerabilities
• Hack 'em all!


MINISTRY OF LOVE 


Maxim Muzafarov aka messiah


ABOUT SERVICE 


• Python
• Tornado web server
• Momoko
• WebSockets


WATCH CRIMES 


[Screenshot: the Ministry of Love crime list; each entry shows a crime id, the offence (BATTERY, ROBBERY, THEFT, CRIMINAL DAMAGE, ASSAULT, MOTOR VEHICLE THEFT, ...), a country/city and a date, e.g. HY361334: ROBBERY, MZ/Menuca, 2015-06-17]


REPORT A CRIME 


[Screenshot: the "Report crime" dialog with a description field, "In process" and "Public" checkboxes, and Send / Cancel buttons]


AUTHENTICATE 


[Screenshot: the authentication page, a list of citizen names to log in as (Pearl Bradley, Isaac Butler, Annette Harris, Matthew Rhodes, Jackie Armstrong, Gladys Hayes, Arianna Caldwell, Jacqueline Schmidt)]


HACK IT! 


SQL INJECTION

    @authorized
    @gen.coroutine
    def show_crimes(self, message):
        offset = message['params']['offset'] * 10
        try:
            cursor = yield self.application.db.execute(
                "select crimeid, name, article, city, "
                "country, crimedate, public "
                "FROM crimes ORDER BY crimeid "
                "DESC limit 10 offset %s" % (offset, )   # offset is pasted into the statement text, not bound as a parameter
            )
            db_result = cursor.fetchall()

The client-controlled offset goes through Python's % formatting straight into the SQL string.
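The same pagination query with the offset validated and bound instead of formatted, as an added example (not the service's code); it uses sqlite3 and a constructed crimes table so it runs offline, whereas Momoko/psycopg2 take the same parameter tuple as the second argument of execute() with %s placeholders.

```python
import sqlite3

# Constructed stand-in for the service's crimes table (the real service talks
# to Postgres through Momoko; sqlite3 is used here so the example runs offline).
SAMPLE_CRIMES = [
    (1, "Brett Palmer", "ROBBERY", "Menuca", "MZ", "2015-06-17", 1),
    (2, "Pearl Bradley", "THEFT", "Novyye Gorby", "RU", "2015-05-25", 1),
    (3, "Isaac Butler", "ASSAULT", "Pozo Claro", "VE", "2015-06-21", 0),
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE crimes(crimeid INTEGER, name TEXT, article TEXT, "
               "city TEXT, country TEXT, crimedate TEXT, public INTEGER)")
    db.executemany("INSERT INTO crimes VALUES (?,?,?,?,?,?,?)", SAMPLE_CRIMES)
    return db

def crimes_query_vulnerable(offset):
    # The service's pattern: whatever the client sent becomes part of the
    # statement text (a str is repeated 10 times instead of multiplied).
    return ("SELECT crimeid FROM crimes ORDER BY crimeid "
            "DESC LIMIT 10 OFFSET %s" % (offset * 10,))

def show_crimes_safe(db, page):
    # Hardened: check the type first, then bind the value. sqlite3 uses ?,
    # psycopg2/Momoko use %s, but in both cases the value never touches the SQL text.
    if isinstance(page, bool) or not isinstance(page, int) or page < 0:
        raise ValueError("offset must be a non-negative integer")
    cur = db.execute("SELECT crimeid FROM crimes ORDER BY crimeid "
                     "DESC LIMIT 10 OFFSET ?", (page * 10,))
    return [row[0] for row in cur.fetchall()]
```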
PROFILE SPOOFING

    yield self.application.db.execute(
        "INSERT INTO users(uid, username, password, role, profile) "
        "VALUES (%(uid)s, %(username)s, "
        "%(password)s, %(role)s, %(profile)s)",
        user
    )

The profile id comes straight from the client-supplied user dict, so a profile can be bound to a new account without authentication.


PROFILE SPOOFING 


[Screenshot: crime HY361334 (ROBBERY) detail page: City MZ/Menuca, Date, Description, Judgement, Closed, Participants]

Profile ids are visible in open crimes

[Screenshot: DevTools Elements panel on the same page; each participant link carries the profile id, e.g. <a onclick data-uid="23ddd0d8-16be-4f04-9bd1-6fb22c67100b">Brett Palmer</a>]


SAME DATABASE 


• Each team has a similar database
• Each team has all the authentication data


“BACKDOOR” 


    user['role'] = len(user['username']) > 3   # any username longer than 3 characters gets the privileged role

Sploit: bit.ly/ructfe mol


MINISTRY OF TAXES 


Pavel Blinov aka pahaz 


ABOUT SERVICE 


• Node.js
• Koa web framework
• Custom router


ADD PERSONAL DATA 


[Screenshot: the Profile page with a single personal-data field ("Thou Very Personal Profile") and a Save button]


UPLOAD REPORT 


[Screenshot: "Upload your tax declaration": select your personal data (filled in on the profile page, "Thou Very Personal Profile") and upload the declaration file ("Thou Report.xml")]


UPLOAD REPORT 


[Screenshot: "OK, we uploaded your file! Click here to download just uploaded declaration"; the downloaded declaration contains "Thou Very Personal Profile" and "Very Secret Data"]


HACK IT! 


WEAK ID GENERATION 


    var id = md5(seconds());


WEAK ID GENERATION 


    var pdata = yield db.pdata.findOne({'_id': kwargs['pdata']});

upload.js

Y U NO CHECK USER
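Both problems of upload.js side by side, as an added example in Python rather than the service's Node code: an id derived from the current second is guessable and repeats within that second, and a lookup by id alone never checks who owns the record. The in-memory PDATA store is a constructed stand-in for db.pdata.

```python
import hashlib
import secrets

def weak_id(seconds):
    # The service's scheme: md5 of the current second. Anyone who knows
    # roughly when a record was created can enumerate candidate ids, and
    # two uploads in the same second collide.
    return hashlib.md5(str(seconds).encode()).hexdigest()

def strong_id():
    # 128 bits from the OS CSPRNG; not derived from the clock at all.
    return secrets.token_hex(16)

# Constructed in-memory stand-in for db.pdata, keyed by record id.
PDATA = {}

def store_pdata(owner, data):
    pid = strong_id()
    PDATA[pid] = {"owner": owner, "data": data}
    return pid

def load_pdata_unchecked(pid):
    # What upload.js does: the id alone selects the record.
    rec = PDATA.get(pid)
    return rec["data"] if rec else None

def load_pdata(pid, requester):
    # Hardened: the id is a lookup key, not an authorization token, so the
    # record's owner must match the authenticated requester.
    rec = PDATA.get(pid)
    if rec is None or rec["owner"] != requester:
        return None
    return rec["data"]
```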


REMOTE CODE EXECUTION 


    } else if (regex.test(name)) {
        try {
            console.log("try ./" + name.replace('.', '/'));
            require("./" + name.replace('.', '/'));

The request-controlled route name ends up in require("./" + name.replace('.', '/')), so the router loads whatever module path the client asks for.

Sploit
ELECTIONS FOR E-DEMOCRACY


Konstantin Plotnikov aka kost 


ABOUT SERVICE 


• C# + Mono
• Homomorphic encryption


ELECTIONS 


[Screenshot: the Electro start page with "Start election" and "Find election" buttons and a list of existing elections; each shows its nominate-till and vote-till timestamps and the winner, e.g. Nominate till: 2015-11-24T20:09:25, Vote till: 2015-11-24T20:09:35, Winner: Nigel Brooks 431481529; Nominate till: 2015-11-24T20:09:22, Vote till: 2015-11-24T20:17:22, Winner: Albert Bailey 178921210]


NOMINATE 


[Screenshot: election gvM9CTgvpYfg with a Nominate button, one candidate (Leonard Simmons 1000762633) and "No votes here by now"]


VOTE 


[Screenshot: election gvM9CTgvpYfg with candidates Leonard Simmons 1000762633 and Indra Harris 26877691 and the Votes section]


GET ELECTED 


[Screenshot: the same election after voting; each candidate row now carries an encrypted vote blob]


HACK IT! 


UNFILTERED INPUT 


• Client-side vote generation & encryption
• Vote: a vector of integers
• Election result: the sum of the votes

    encrypt: function(vote_vector, public_key) {
        var self = this;
        return $.map(vote_vector, function(vote_element) {
            return self.encrypt_bit(vote_element, public_key);
        });
    }

break & hack


UNFILTERED INPUT

• Calculations are made modulo 243
• Overflow a competitor's value
• Let the battle begin!


WEAK PRIVATE KEY GENERATOR 


• Calculations are made modulo 243 = 3^5
• Private key: a random number
• There is a fair chance of it not being coprime with the modulus
• 3 divides the private key → we can decrypt
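Server-side checks for the two Electro problems above (unfiltered vote vectors and private keys sharing a factor with 243), as an added example that is not the service's C# code. The 21-candidate width is a constructed assumption taken from the 21-character rows shown later on the weak-key slide.

```python
import math
import secrets

MODULUS = 243        # 3**5, as used by the service
N_CANDIDATES = 21    # constructed; matches the 21-wide vote rows on the slide

def is_valid_vote(vector, n_candidates=N_CANDIDATES):
    # A ballot must be a one-hot 0/1 vector: exactly one candidate, and no
    # entry large enough to wrap a competitor's tally modulo 243.
    return (len(vector) == n_candidates
            and all(isinstance(v, int) and not isinstance(v, bool) and v in (0, 1)
                    for v in vector)
            and sum(vector) == 1)

def tally(votes):
    # The election result is the modular sum of the vote vectors, which is
    # why an unfiltered entry of 242 cancels a competitor's vote.
    totals = [0] * N_CANDIDATES
    for v in votes:
        for i, x in enumerate(v):
            totals[i] = (totals[i] + x) % MODULUS
    return totals

def weak_key_fraction():
    # Fraction of candidate keys in [1, MODULUS) that share the factor 3
    # with the modulus; the service's generator accepts all of them.
    bad = sum(1 for k in range(1, MODULUS) if math.gcd(k, MODULUS) != 1)
    return bad / (MODULUS - 1)

def safe_keygen(rng=secrets.randbelow):
    # Hardened generator: retry until the key is a unit modulo 243.
    while True:
        k = rng(MODULUS)
        if k != 0 and math.gcd(k, MODULUS) == 1:
            return k
```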


WEAK PRIVATE KEY GENERATOR 


[Screenshot: election D9s1bIMm92sIpi with candidates Agnes Tucker 465596423, ..., Olive Williamson 485988707 and the Votes section listing the encrypted vote numbers]

WEAK PRIVATE KEY GENERATOR

    >>> for row in numbers:
    ...     print("".join([str(num % 3) for num in row]))
    000000000100000000000
    010000000000000000000
    000000000000000000100


NASA RASA 


Andrey Gein aka andgein 


ABOUT SERVICE 


• PHP
• MySQL


REPORT A PLANET 


[Screenshot: the "Let us know about unknown planet" form with fields Declination (from -90 to 90 degrees), Hour angle (from -12 to 12 degrees), Brightness (from 0 to 100) and Size (from 0 to 100)]


BROWSE DISCOVERED PLANETS 


[Screenshot: a discovered planet page: Declination in degrees, Hour angle: 7 degrees, Brightness: 85%, Size: 27%, Color: Dark Blue, and a "Message visible only for you" reading "Thy Very Secret Information"]


BROWSE USERS 


[Screenshot: "Last registered users", a numbered list of user names (Laquita Dambrosio, ..., Efren Antroni, ..., Lamar Gowens, 9. Aida Stewarts, 10. Rolande Arguelles)]


HACK IT! 


HARDCODED DB CREDENTIALS 


Remember about RCE?

I TOLD YOU SO


PADSPACE COLLATION 


    CREATE TABLE test (name varchar(10));
    INSERT INTO test VALUES ('a'), ('a ');
    SELECT COUNT(*) FROM test WHERE name = 'a';

bit.ly/ructfe collations
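A Python model of why that SELECT counts both rows under a PAD SPACE collation, plus the registration-time guard an application can apply itself; this is an added example, not the service's PHP, and padspace_equal() only simulates MySQL's comparison rule (trailing spaces ignored for CHAR/VARCHAR), it does not talk to a database.

```python
def padspace_equal(a, b):
    # MySQL PAD SPACE collations (the defaults in MySQL 5.x) compare
    # CHAR/VARCHAR values as if trailing spaces were not there, so 'a' and
    # 'a ' are the same value for WHERE name = 'a'.
    return a.rstrip(" ") == b.rstrip(" ")

def binary_equal(a, b):
    # What a BINARY comparison (or the application comparing bytes itself)
    # sees: every character counts.
    return a == b

def count_matches(rows, needle, equal):
    # Models SELECT COUNT(*) FROM test WHERE name = needle under a given rule.
    return sum(1 for r in rows if equal(r, needle))

def validate_username(name):
    # Guard for registration and login: refuse names that differ from an
    # existing one only by padding, so a second 'a ' account cannot be
    # matched against the row for 'a'.
    if not name or name != name.strip(" "):
        raise ValueError("username must be non-empty without leading/trailing spaces")
    return name
```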


HEALTH MONITOR 


Polina Zonova aka Klyaksa 


ABOUT SERVICE 


• Go
• SQLite


REPORT YOUR HEALTH 


[Screenshot: "How are you today? Write us your health indices and keep an eye on your progress!" with a comment field reading "I feel great! But that's a secret, shhh"]


BROWSE YOUR PROGRESS 


Here are metrics you've added 


    Weight  Blood Pressure  Pulse  Walking Distance  Comment
    80      120             80     10356             I feel great! But that's a secret, shhh


HACK IT! 


AUTHENTICATION 


    auth := md5hash(Key, uid)
    id := encodeBase64(uid)

    authCookie = http.Cookie{Name: "auth", Value: auth}
    idCookie = http.Cookie{Name: "id", Value: id}


HARDCODED SALT 


const Key string = "fllecd5521ddf2614e17e4fb074a86da" 


Plan: 

1. Set up vulnbox 

2. Change all passwords & keys 
3. Win 


LENGTH EXTENSION ATTACK 


• uids are serial, so we can guess them
• Over 9k tools exist to perform an MD5 length extension attack
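The cookie scheme rebuilt on HMAC instead of md5(Key || uid), as an added example (Python, not the service's Go): the tag is keyed properly, so length extension does not apply, the id cookie is re-derived and compared in constant time, and the key is generated rather than hardcoded. KEY here is a constructed value.

```python
import base64
import hashlib
import hmac
import secrets

# Generated at startup instead of hardcoded in the source; constructed here.
KEY = secrets.token_bytes(32)

def weak_auth(key, uid):
    # The service's construction: md5 over key || uid. A prefix-keyed MD5
    # lets anyone extend the message given only the tag and the key length,
    # and serial uids make the next message trivially predictable.
    return hashlib.md5(key + uid).hexdigest()

def make_cookies(key, uid):
    # Hardened: HMAC-SHA256 over the uid, issued together with the id cookie.
    auth = hmac.new(key, uid, hashlib.sha256).hexdigest()
    return {"id": base64.b64encode(uid).decode(), "auth": auth}

def verify_cookies(key, cookies):
    # Recompute the tag from the presented id cookie and compare it in
    # constant time; return the uid only if the pair is consistent.
    try:
        uid = base64.b64decode(cookies["id"], validate=True)
    except (KeyError, ValueError):
        return None
    expected = hmac.new(key, uid, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cookies.get("auth", "")):
        return None
    return uid
```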


INTERPLANETARY MIGRATION AUTHORITY 


Dmitry Titarenko aka dscheg 


ABOUT SERVICE 


• Nim
• Redis


KNOW CITIZENS 


[Screenshot: the Interplanetary Migration Authority home page: a welcome text explaining that you must register to become a resident of planet Turio and that registered users log in with their MultiPass, "Many people choose planet Turio as their home. Here are some of them", followed by a timestamped list of recently registered citizens]


FILL MIGRATION 


FILL MIGRATION FORM... BUT NOT QUITE

[Screenshot: the HOME step of the form: "We need to check that your motives are pure and right from your heart. Generate some thought from your mind. To verify that you think like us, we ask you to fill the mental sign field using our thought", with a thought value such as be575199f7cb2572a8eb407e]


HACK IT! 


HARDCODED DB CREDENTIALS 


And again

I TOLD YOU SO


HMAC USING EXTERNAL LIBRARY

    proc rhash_sha3(bits: int = sha3_256_hash_size * 8, data: cstring)

cstring type: "The cstring type represents a pointer to a zero-terminated char array" (Nim manual)

The user name is passed to the C hashing routine as a cstring, so everything after the first zero byte is ignored: a zero-padded user name has the same HMAC as the original.
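A model of the cstring truncation and the length-aware replacement, as an added example (Python, not the service's Nim): as_cstring() reproduces what a C routine taking a zero-terminated buffer sees, and tag_length_aware() hashes the exact bytes and refuses NUL bytes in identifiers. KEY is a constructed value.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # stands in for the service's secret

def as_cstring(data):
    # Model of a `cstring` parameter: the C side reads up to the first NUL
    # byte and never sees what follows it.
    return data.split(b"\x00", 1)[0]

def tag_via_cstring(key, user):
    # The service's path: the user name goes to the C hashing routine as a
    # zero-terminated string, so "kost" and "kost\0\0\0" produce one tag.
    return hmac.new(key, as_cstring(user), hashlib.sha3_256).hexdigest()

def tag_length_aware(key, user):
    # Hardened: pass the exact bytes to a length-aware API and reject NUL
    # bytes in identifiers outright, so no two distinct names share a tag.
    if b"\x00" in user:
        raise ValueError("user name must not contain NUL bytes")
    return hmac.new(key, user, hashlib.sha3_256).hexdigest()
```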


HMAC USING EXTERNAL LIBRARY 


• Log in as one of the citizens
• Steal the flag from the filled form


MODIFYING LOCAL DATA 


• Form data is stored on the client side
• Form data is encrypted
• AES encryption in CBC mode
• No integrity checks


MODIFYING LOCAL DATA 


• We know the plaintext: JSON with the filled-in data

    let newCipherBlock = prevCipherBlock xor oldPlainBlock xor newPlainBlock

• So we can modify the ciphertext block by block
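The CBC relation from the slide worked through, and the integrity check that stops it, as an added example that is not the service's code: a toy XOR block cipher with a constructed key stands in for AES (the chaining algebra is the same for any block cipher), and seal()/open_sealed() show encrypt-then-MAC rejecting an edited block before decryption.

```python
import hashlib
import hmac

BLOCK = 16
TOY_KEY = bytes(range(16))   # constructed; stands in for the real AES key

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_enc(block):
    # Stand-in for AES: XOR with a fixed key (its own inverse).
    return xor(block, TOY_KEY)

toy_block_dec = toy_block_enc

def cbc_encrypt(iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_enc(xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(iv, ciphertext):
    # P_i = D_k(C_i) xor C_{i-1}, with C_0 = IV.
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += xor(toy_block_dec(c), prev)
        prev = c
    return out

def forge_prev_block(prev_cipher_block, old_plain_block, new_plain_block):
    # The slide's relation: C'_{i-1} = C_{i-1} xor P_i xor P'_i makes block i
    # decrypt to P'_i without the key (block i-1 is garbled; for i = 1 only
    # the IV changes, so nothing is garbled at all).
    return xor(xor(prev_cipher_block, old_plain_block), new_plain_block)

def seal(mac_key, iv, ciphertext):
    # Encrypt-then-MAC: the tag covers IV || ciphertext, so any edited block
    # fails verification before a single byte is decrypted.
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag

def open_sealed(mac_key, blob):
    iv, body, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return iv, body
```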


MODIFYING LOCAL DATA 


[Meme slide: "SAY NO CRYPTO ONE MORE TIME"]


MITM 


• On step 3 we need to get a random value signed
• Only the checker has the private key
• Let's hack the value generation function
• The checker will then sign anything for us

bit.ly/ructfe mig sploit
THE BANK


Alexander Bersenev aka bay 


ABOUT SERVICE 


• Mongoose
• Custom dictionary


CREATE ACCOUNTS 


[Screenshot: "Your bank accounts" table (Account / Balance) listing "Thy Very First Account" with balance 100500, and the form "Add money to the account (this is free and always will be)" with "Thy Second Account", amount 42 and an Add button]


TRANSFER MONEY 


[Screenshot: the "Transfer money" dialog with From ("Thy Second Account"), To ("Thy Very First Account") and Amount fields, and Close / Execute buttons]


HACK IT! 


ACCESS LOGS 


bank.teamX.e.ructf.org/access.log

[Screenshot: the web server's access.log, served by the vulnbox itself (bank.zn.e.ructf.org/access.log). Every line is a request from 84.201.188.132 on 24/Nov/2015 with User-Agent "Python-urllib/3.2" to /account.cgi?login=..., /add_money.cgi?amount=...&login=...&account=... and /transfer_money.cgi?..., so the checker's logins and account names sit in the query strings in plain view]


DICTIONARY 


[Screenshot: the dictionary file (148 KB) in a viewer]

Binary Search Tree Independent Code


DICTIONARY 


• Key in the BST: SHA256 of the key in the dict
• Value: amount of money (8 bytes)
• BST stored in an array

Sploit: bit.ly/ructfe


RECOMMENDATIONS 


• Always change keys and passwords
• Learn Linux administration
• Stay positive & have fun!


Thanks! 


Services: Nasa Rasa, Ministry of Love, Interplanetary Migration Authority, Health Monitor, Tax, Electro, Bank